We propose an entanglement-based protocol for two people to simultaneously exchange their
messages. We show that the protocol is asymptotically secure against the disturbance attack, the 
intercept-and-resend attack and the entangle-and-measure attack. Our protocol is experimentally 
feasible within current technologies. 
Sending or/and exchanging secret information has long been desired since language became a tool to communicate.
To date the most popular cryptosystem is the RSA protocol [1] whose security is based upon unproven mathematical
assumptions, e.g., that it is extremely hard to factorize a large integer. Because such a mathematically difficult task
could be accomplished by an efficient quantum computation algorithm [2], all the RSA-based privacy would be
broken if scalable quantum computers come into being some day. Fortunately enough, however, laws of quantum
mechanics can also be exploited to make provably secure distribution of secret information. This is known as quantum
cryptography. Conventionally the problem reduces to the so-called quantum key distribution (see, e.g., Q) which is
nondeterministic since one never knows which transmitted bits will actually be used and which should be discarded
during the distribution, and the number of discarded bits is at least one half of the total processed bits. Furthermore,
the real message can only be read after the secret key (i.e., a sequence of random bits whose length is equal to that
of the message) is established and shared between the two legitimate parties.

Recently, quite different quantum cryptographic scenarios have been proposed [j, |fj |g, 0, la, 111 for secure
communication without a prior secret key distribution. In particular, the so-called ping-pong protocol (PPP) [6] allows
the encoded bit to be decoded instantaneously in each respective transmission run. In other words, the PPP
provides a quantum means of direct and deterministic communication. Nevertheless, the PPP supports only one-way
communication and contains in itself some limitation.

In this letter we first point out a drawback of the original PPP and then improve it towards a protocol, called 
quantum dialogue protocol, which enables both legitimate parties (Alice and Bob) to exchange their secret messages 
in a direct way, much like in a dialogue. 
In the original PPP [6] Bob is provided with a number of Einstein-Podolsky-Rosen (EPR) pairs [10] all in the
entangled state

$$|\Psi_{0,0}\rangle_{ht} = \frac{1}{\sqrt{2}}\left(|\downarrow\rangle_h|\uparrow\rangle_t + |\uparrow\rangle_h|\downarrow\rangle_t\right), \tag{1}$$

where h stands for "home", t for "travel" while $|\downarrow\rangle$ and $|\uparrow\rangle$ characterize two degrees of freedom of a qubit. In each run
Bob keeps qubit h and "pings" qubit t to Alice. Alice encodes her information by performing $C^t_{0,0} = 1^t$ or $C^t_{1,1} = \sigma^t_z$
($\sigma^t_{x,y,z}$ the Pauli matrices) on the qubit t depending on whether the value of her message bit is "0" or "1", then "pongs" the
qubit t back to Bob who is able to decode Alice's secret bit with certainty by a Bell measurement on the ht-pair. This
is a message mode (MM). To check for eavesdropping Alice and Bob sometimes agree to switch to a control mode
(CM) in which Alice measures qubit t in the basis $B = \{|\downarrow\rangle, |\uparrow\rangle\}$, then, instead of "ponging", publicly announces her
measurement outcome to Bob who can probabilistically detect the presence of Eve (the eavesdropper) by measuring
qubit h (also in the basis B) and comparing his measurement outcome with Alice's.

The serious drawback suffered by the PPP is the following. Since MM operates in a "ping-pong" manner while CM 
operates just in a "ping" one, Eve can easily avoid all control runs and manipulate qubits t in MM in such a way as 
to totally disturb the message meaning. For that purpose, Eve waits on the pong-route. If a qubit t comes out from 
Alice this is surely a run in MM. Eve may simply either measure the qubit t [8] or randomly apply either $C^t_{0,0}$ or $C^t_{1,1}$
on it. In the first situation the entanglement between qubits h and t is destroyed. In the second situation the phase
of the EPR-pair changes randomly. In both situations Eve remains undetected and what Bob decodes is nothing else
but a random sequence of bits that contains no information at all. This is a kind of denial-of-service attack. Here
we refer to it as disturbance attack for short.
To protect against such a disturbance attack we modify the CM as follows. After manipulation of a qubit t Alice
always "pongs" the qubit t back to Bob. The modified CM is a mode in which Alice lets Bob know her encoding 
transformation which then allows Bob to detect Eve by analyzing the outcome of his Bell measurement on the EPR- 
pair. The point of the modification is that Eve cannot distinguish between MM and CM since both modes now 
operate in the same "ping-pong" manner (compare with the original PPP in which MM and CM are distinguishable: 
MM is "ping-pong" like but CM is "pong" like). 

The modified PPP is good against the disturbance attack mentioned above but it is insecure by the following 
intercept-and-resend attack. On the ping-route Eve gets the qubit t and keeps it with her. Afterwards she creates 
her own entangled pair in the same state as in Eq. (1), i.e., Eve's pair state is

$$|\Psi_{0,0}\rangle_{HT} = \frac{1}{\sqrt{2}}\left(|\downarrow\rangle_H|\uparrow\rangle_T + |\uparrow\rangle_H|\downarrow\rangle_T\right), \tag{2}$$

and sends her qubit T to Alice. Alice would take T for t, encodes her message bit by performing an appropriate
transformation as described above and "pongs" the qubit T back to Bob. On the pong-route Eve gets back the
transformed qubit T, carries out a Bell measurement on the HT-pair to learn Alice's secret bit. By the same Bell
measurement Eve knows the encoding transformation Alice performed on the qubit T. Eve then applies the same 
transformation on the qubit t she has kept and "pongs" it back to Bob. Clearly, Alice's message is readable not only 
to Bob but also to Eve and, even worse, Eve's tampering is absolutely unnoticeable. 

To rescue the modified PPP against the intercept-and-resend attack we further improve it in such a way so that 
the initial entangled pairs of Bob are not all in the same state $|\Psi_{0,0}\rangle_{ht}$ but they must be somehow chosen each time
as one among the four mutually orthogonal Bell states $|\Psi_{k,l}\rangle_{ht} = C^t_{k,l}|\Psi_{0,0}\rangle_{ht}$ where $C^t_{0,0}$, $C^t_{0,1}$, $C^t_{1,0}$ and $C^t_{1,1}$ denote
$1^t$, $\sigma^t_x$, $\sigma^t_y$ and $\sigma^t_z$, respectively. The choice may be random or in some secret fashion unknown to Eve. The latter
alternative suggests a quantum dialogue protocol which will be detailed now. 

Suppose that Alice has a secret message consisting of 2N bits [11],

$$\text{Alice's message} = \{(i_1,j_1), (i_2,j_2), \ldots, (i_N,j_N)\}, \tag{3}$$

with $i_n, j_n \in \{0,1\}$ and Bob has another secret message consisting of 2M bits [11],

$$\text{Bob's message} = \{(k_1,l_1), (k_2,l_2), \ldots, (k_M,l_M)\}, \tag{4}$$

with $k_n, l_n \in \{0,1\}$. Without loss of generality we can set N = M [12]. To securely exchange their messages or, in
other words, to carry out a secret dialogue, Bob first produces a large enough number of entangled pairs, all in the
state $|\Psi_{0,0}\rangle_{ht}$ of Eq. (1). Then Bob and Alice proceed as follows.

1. Set n = 0. 

2. Set n = n + 1. Bob encodes his bits $(k_n, l_n)$ by applying $C^{t_n}_{k_n,l_n}$ on the state $|\Psi_{0,0}\rangle_{h_n t_n}$, keeps qubit $h_n$ with him
and pings qubit $t_n$ to Alice. Then Bob lets Alice know that [13].

3. Alice confirms to Bob that she received a qubit [14]. Then she encodes her bits $(i_n, j_n)$ by performing the
transformation $C^{t_n}_{i_n,j_n}$ on that qubit and pongs it back to Bob.

4. Having been aware of Alice's confirmation, Bob performs a Bell measurement on the two qubits [15] with the result
in state $|\Psi_{x_n,y_n}\rangle_{h_n t_n}$ ($x_n, y_n \in \{0,1\}$), and waits for Alice to tell him whether that was a run in MM or in CM.

4.1. If it was a MM run, Bob decodes Alice's bits as $(i_n = |x_n - k_n|, j_n = |y_n - l_n|)$, then publicly announces
the values of $(x_n, y_n)$ to allow Alice also to decode Bob's bits as $(k_n = |x_n - i_n|, l_n = |y_n - j_n|)$. Afterwards
the protocol proceeds to Step 5 if n = N or to Step 2 if n < N.

4.2. If it was a CM run, Alice publicly reveals the value of $(i_n, j_n)$ for Bob to check the eavesdropping: if both
$i_n = |x_n - k_n|$ and $j_n = |y_n - l_n|$ hold, the process continues, i.e., Bob sets n = n − 1 and goes to Step 2;
otherwise the process is reinitialized by going to Step 1.

5. The dialogue has been successfully completed. 
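
The run in Steps 2 to 4 can be checked numerically. The following is an added example, not code from the paper: a pure-Python state-vector simulation that assumes the four operators $C_{0,0}, C_{0,1}, C_{1,0}, C_{1,1}$ are $1, \sigma_x, \sigma_y, \sigma_z$ acting on qubit t. The function names and the `tamper` argument (an extra C applied on the pong route, standing in for the disturbance described earlier) are constructed for illustration.

```python
import math

# Assumed assignment of the encoding operators C[(a, b)]: 1, sigma_x, sigma_y, sigma_z.
C = {
    (0, 0): ((1, 0), (0, 1)),
    (0, 1): ((0, 1), (1, 0)),
    (1, 0): ((0, -1j), (1j, 0)),
    (1, 1): ((1, 0), (0, -1)),
}

# Basis index = 2*h + t with 0 = "down", 1 = "up"; Eq. (1) is (|01> + |10>)/sqrt(2).
PSI00 = (0, 1 / math.sqrt(2), 1 / math.sqrt(2), 0)

def apply_on_t(op, state):
    """Apply a 2x2 operator to the travel qubit t, leaving the home qubit h alone."""
    out = [0j] * 4
    for h in (0, 1):
        for t_new in (0, 1):
            out[2 * h + t_new] = sum(op[t_new][t_old] * state[2 * h + t_old] for t_old in (0, 1))
    return tuple(out)

# The four Bell states |Psi_{x,y}> = C_{x,y} |Psi_{0,0}>.
BELL = {xy: apply_on_t(op, PSI00) for xy, op in C.items()}

def bell_measure(state):
    """Return the (x, y) whose Bell state has unit overlap with `state`."""
    for xy, bell in BELL.items():
        if abs(sum(u.conjugate() * v for u, v in zip(bell, state))) ** 2 > 1 - 1e-9:
            return xy
    raise ValueError("state is not a Bell state")

def run(bob_bits, alice_bits, tamper=(0, 0)):
    """One ping-pong run; `tamper` is an extra C applied on the pong route."""
    state = apply_on_t(C[bob_bits], PSI00)     # Step 2: Bob encodes (k, l)
    state = apply_on_t(C[alice_bits], state)   # Step 3: Alice encodes (i, j)
    state = apply_on_t(C[tamper], state)       # constructed disturbance (identity by default)
    return bell_measure(state)                 # Step 4: Bob's outcome (x, y)

def decode(xy, own_bits):
    """Step 4.1: recover the other party's bits as (|x - a|, |y - b|)."""
    return (abs(xy[0] - own_bits[0]), abs(xy[1] - own_bits[1]))

def control_check(xy, bob_bits, revealed_alice_bits):
    """Step 4.2: True when the run passes Bob's eavesdropping check."""
    return decode(xy, bob_bits) == revealed_alice_bits
```

With no tampering, every one of the 16 bit combinations yields $(x, y) = (i \oplus k, j \oplus l)$ and both parties decode correctly; any non-identity `tamper` makes `control_check` fail.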

We now explicitly analyze the quantum dialogue protocol described above. After Bob encodes his bits (k, l) on the
EPR-pair state $|\Psi_{0,0}\rangle_{ht}$, the pair state becomes $|\Psi_{k,l}\rangle_{ht}$, i.e.,

$$|\Psi_{0,0}\rangle_{ht} \to |\Psi_{k,l}\rangle_{ht} = C^t_{k,l}|\Psi_{0,0}\rangle_{ht}. \tag{5}$$

Since

$$C^t_{i,j}C^t_{k,l} = \phi_{i,j;k,l}\,C^t_{i\oplus k,\,j\oplus l}, \tag{6}$$

where $\oplus$ denotes an addition mod 2 and $\phi_{i,j;k,l}$ is a phase factor ($\phi_{i,j;k,l} = 1$ or $\pm i$ depending on the values of
i, j, k, l [16]), after Alice's encoding the state $|\Psi_{k,l}\rangle_{ht}$ of the qubit pair is further transformed as

$$|\Psi_{k,l}\rangle_{ht} \to C^t_{i,j}|\Psi_{k,l}\rangle_{ht} = C^t_{i,j}C^t_{k,l}|\Psi_{0,0}\rangle_{ht} = \phi_{i,j;k,l}\,|\Psi_{i\oplus k,\,j\oplus l}\rangle_{ht}. \tag{7}$$

Clearly, if the outcome of Bob's Bell measurement is (x, y), then Bob can easily decode Alice's bits as
$(i = |x - k|, j = |y - l|)$ because Bob knows his bits (k, l). At the same time, Alice can also easily decode Bob's bits as
$(k = |x - i|, l = |y - j|)$ because Alice knows her bits (i, j) and the values of (x, y) broadcast by Bob. The crucial
merit is that, although Eve knows (x, y) as well (through Bob's public broadcasting), she can by no means, except
a pure guess, read either Alice's or Bob's message because none of the bits (i, j, k, l) are known to her. For the same
reason Eve faces a detection probability of 3/4 per CM run in both the disturbance attack and the
intercept-and-resend attack. Let M be the total number of the protocol runs among which there are $M_{MM}$ runs in MM and $M_{CM}$
runs in CM: $M = M_{MM} + M_{CM}$. The probability of a CM run is thus $c = M_{CM}/M$. For M = 1, 2, 3, ... the probability
of detecting Eve is $3c/4$, $3c/4 + 3c(1 - 3c/4)/4$, $3c/4 + 3c(1 - 3c/4)/4 + 3c(1 - 3c/4)^2/4$, ..., respectively. Therefore,
after M runs the total detection probability is 

For messages of 2N bits (see Eqs. (3) and (4)) to be entirely exchanged, Alice and Bob need $M_{MM} = N$ runs in MM.
Taking this into account we can re-express Eq. (8) in terms of N (i.e., of message half-length) as

N 

Transparently, for any possible value of c (0 < c < 1), D tends to unity in the limit of large N (long message). The 
greater the value of c the higher the speed at which D approaches unity. 

Besides the two above-discussed attacks, there is another kind of attack by which Eve could gain partial
information. Let us call it the entangle-and-measure attack, which acts in the following way. Eve prepares an ancilla in the
initial state $|\chi\rangle_e$ and waits in the ping-route. After Bob applies $C^t_{k,l}$ Eve entangles her ancilla with the qubit t by
performing a unitary operation $\mathcal{E}_{te}$ defined as

$$\mathcal{E}_{te}|\downarrow\rangle_t|\chi\rangle_e = \alpha|\downarrow\rangle_t|\chi_0\rangle_e + \beta|\uparrow\rangle_t|\chi_1\rangle_e, \tag{10}$$

$$\mathcal{E}_{te}|\uparrow\rangle_t|\chi\rangle_e = \alpha|\uparrow\rangle_t|\chi_0\rangle_e + \beta|\downarrow\rangle_t|\chi_1\rangle_e, \tag{11}$$

with $\alpha$, $\beta$ (assumed to be real) satisfying the normalization condition $\alpha^2 + \beta^2 = 1$ and $\{|\chi_0\rangle_e, |\chi_1\rangle_e\}$ being the pure
orthonormalized ancilla's states uniquely determined by the unitary operation $\mathcal{E}_{te}$. Subsequently, Eve lets the qubit
t go on to Alice. The total system state (ht-pair plus ancilla) before reaching Alice is

$$|\Psi_{ping}\rangle_{hte} = \mathcal{E}_{te}C^t_{k,l}|\Psi_{0,0}\rangle_{ht}|\chi\rangle_e = \alpha|\Psi_{k,l}\rangle_{ht}|\chi_0\rangle_e + \beta\phi_{0,1;k,l}|\Psi_{k,\,l\oplus 1}\rangle_{ht}|\chi_1\rangle_e. \tag{12}$$

On the pong-route, after Alice encodes her bits by $C^t_{i,j}$, Eve measures her ancilla in an attempt to gain Alice's information.
Since the total system state at the measurement time is given by

$$|\Psi_{pong}\rangle_{hte} = C^t_{i,j}|\Psi_{ping}\rangle_{hte} = \alpha\phi_{i,j;k,l}|\Psi_{i\oplus k,\,j\oplus l}\rangle_{ht}|\chi_0\rangle_e + \beta\phi_{0,1;k,l}\phi_{i,j;k,l\oplus 1}|\Psi_{i\oplus k,\,j\oplus l\oplus 1}\rangle_{ht}|\chi_1\rangle_e, \tag{13}$$

Eve conceals herself if her measurement outcome ends up with $|\chi_0\rangle_e$ (with probability $\alpha^2$). However, if she finds $|\chi_1\rangle_e$
(with probability $\beta^2$), then $|\Psi_{pong}\rangle_{hte}$ collapses into $|\Psi_{i\oplus k,\,j\oplus l\oplus 1}\rangle_{ht}$ which is orthogonal to $|\Psi_{i\oplus k,\,j\oplus l}\rangle_{ht}$. Obviously,
this enables Bob to detect Eve in a CM run. It is also clear that the detection probability of the entangle-and-measure
attack is 1 per CM run and $c\beta^2$ per protocol run. Therefore the proposed dialogue protocol is also asymptotically
secure against the entangle-and-measure attack since its total detection probability $D'$,

$$D' = 1 - (1 - c\beta^2)^{N/(1-c)}, \tag{14}$$

approaches unity in the long-message limit for any possible values of c and $\beta$.

To evaluate how much information Eve could gain when there is no control run we calculate the von Neumann
entropy $S(\rho_e)$ of Eve's reduced density matrix $\rho_e$. From Eq. (13) we obtain

$$\rho_e = \mathrm{Tr}_{ht}\left(|\Psi_{pong}\rangle_{hte}\langle\Psi_{pong}|\right) = \alpha^2|\chi_0\rangle_e\langle\chi_0| + \beta^2|\chi_1\rangle_e\langle\chi_1|. \tag{15}$$

Hence

$$S(\rho_e) = -(1 - \beta^2)\log_2(1 - \beta^2) - \beta^2\log_2\beta^2. \tag{16}$$

It follows from Eq. (16) that $S > 0$ iff $\beta^2 > 0$ ($\beta^2 \in [0, 0.5]$), i.e., iff $D' > 0$. This means that any attempt to steal
information causes a non-zero detection probability. To be undetected Eve should set $\beta = 0$. But by doing so no
entanglement exists between the qubit t and the ancilla and, as a consequence, absolutely no information is leaked to
Eve.

In conclusion, we have proposed a quantum protocol for two legitimate parties to simultaneously exchange their
secret messages. It modifies and improves the existing ping-pong protocol [6], making subtle use of the superdense
coding [17] to double the quantum channel capacity. In fact, by the wise manipulation of two public bits (x, y)
combined with a single qubit t in a state of two entangled qubits, in a MM run four secret bits (i, j, k, l) can be
processed: each party is able at the same time to send two secret bits as well as to read two other secret bits. Our
protocol is shown to be asymptotically secure (i.e., the detection probability tends to 1 in the long-message limit)
against the disturbance attack, the intercept-and-resend attack as well as the entangle-and-measure attack. As in
the ping-pong protocol, our protocol is deterministic in the sense that, in the course of running, the participating
parties surely know which run is in MM and which run is in CM. While qubits in CM are deterministically discarded,
qubits in MM are read directly by both parties without a prior quantum key sharing. It looks as if Alice and
Bob are "talking" to each other bit by bit, much as though a dialogue is going on between them; hence the name
"quantum dialogue". In contrast to the ping-pong protocol, here, thanks to the modification of CM, there is no need
for both Alice and Bob to do single-qubit measurements. Hence, our quantum dialogue protocol seems even more
feasible within present technologies as compared to the ping-pong protocol (see, e.g., the experimental feasibility of
the ping-pong protocol in 0).